US11032259B1ActiveUtility

Data protection in a storage system

97
Assignee: PURE STORAGE INCPriority: Sep 26, 2012Filed: Oct 23, 2018Granted: Jun 8, 2021
Est. expirySep 26, 2032(~6.2 yrs left)· nominal 20-yr term from priority
H04L 9/085H04L 63/061H04L 9/0822H04L 63/10H04L 2463/062H04L 63/0428H04L 9/0894G06F 2221/2107G06F 2221/2131G06F 21/78
97
PatentIndex Score
22
Cited by
209
References
20
Claims

Abstract

In a storage system that includes a plurality of NVMe SSDs, data protection may be carried out by: for each of the plurality of NVMe SSDs, encrypting a device key using a master secret, wherein the device key, when not encrypted, is used to encrypt and decrypt data in one or more namespaces on the NVMe SSD; generating a plurality of shares from the master secret; and storing a separate share of the plurality of shares in a namespace prohibited from encryption on each NVMe SSD.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 for each of the plurality of NVMe SSDs (‘Non-Volatile Memory Express Solid State Drives’) of a storage system, encrypting a device key using a master secret, 
 wherein the device key is used to encrypt and decrypt data in one or more namespaces on the NVMe SSD; 
 generating a plurality of shares from the master secret; and 
 storing a separate share of the plurality of shares in a namespace prohibited from encryption on each NVMe SSD. 
 
     
     
       2. The method of  claim 1 , wherein each namespace other than the namespace that is prohibited from encryption is accessible for writing only with a device key and accessible for reading without the device key. 
     
     
       3. The method as recited in  claim 2 , wherein encrypting, for each NVMe SSD, the device key further comprises encrypting the device key using the master secret and a value unique to the corresponding NVMe SSD. 
     
     
       4. The method as recited in  claim 3 , further comprising:
 reconstructing the master secret using a given number of shares of the plurality of shares and decrypting encrypted device keys using the master secret to generate decrypted device keys; 
 storing the decrypted device keys in a volatile memory; and 
 using the decrypted device keys to perform a plurality of accesses to one or more of the NVMe SSDs. 
 
     
     
       5. The method as recited in  claim 1 , wherein a number of shares needed to reconstruct the master secret is greater than a number of shares associated with any single physical grouping of the NVMe SSDs. 
     
     
       6. The method as recited in  claim 1 , further comprising decrypting one or more encrypted device keys using the master secret. 
     
     
       7. The method as recited in  claim 6 , further comprising storing the decrypted device keys in a volatile memory. 
     
     
       8. The method as recited in  claim 7 , further comprising using the decrypted device keys to perform a plurality of accesses to one or more of the NVMe SSDs. 
     
     
       9. A storage system comprising:
 a plurality of Non-Volatile Memory Express (‘NVMe’) Solid State Drives (‘SSDs’) and a controller, wherein the controller is configured to carry out: 
 for each of the plurality of NVMe SSDs, encrypting a device key using a master secret, wherein the device key is used to encrypt and decrypt data in one or more namespaces on the NVMe SSD; 
 generating a plurality of shares from the master secret; and 
 storing a separate share of the plurality of shares in a namespace prohibited from encryption on each NVMe SSD. 
 
     
     
       10. The storage system of  claim 9 , wherein each namespace other than the namespace that is prohibited from encryption is accessible for writing only with a device key and accessible for reading without the device key. 
     
     
       11. The storage system as recited in  claim 10 , wherein encrypting, for each NVMe SSD, the device key further comprises encrypting the device key using the master secret and a value unique to the corresponding NVMe SSD. 
     
     
       12. The storage system of  claim 11 , wherein the controller is further configured to carry out:
 reconstructing the master secret using a given number of shares of the plurality of shares. 
 
     
     
       13. The storage system as recited in  claim 12 , wherein the controller is further configured to carry out decrypting one or more encrypted device keys using the master secret. 
     
     
       14. The storage system as recited in  claim 13 , wherein the controller is further configured to carry out storing the decrypted device keys in a volatile memory. 
     
     
       15. The storage system as recited in  claim 14 , wherein the controller is further configured to carry out using the decrypted device keys to perform a plurality of accesses to one or more of the NVMe SSDs. 
     
     
       16. The storage system of  claim 9 , wherein a number of shares needed to reconstruct the master secret is greater than a number of shares associated with any single physical grouping of the NVMe SSDs. 
     
     
       17. A storage system comprising:
 a plurality of storage devices and a controller, wherein each storage device includes an interposer that couples the storage device to the storage system, and wherein the controller is configured to carry out: 
 for each of the plurality of storage devices, encrypting a device key using a master secret, wherein the device key is used to encrypt and decrypt data in the storage device; 
 generating a plurality of shares from the master secret; and 
 storing a separate share of the plurality of shares in memory of each storage device's interposer. 
 
     
     
       18. The storage system of  claim 17 , wherein each storage device is accessible for writing only with a device key and accessible for reading without the device key. 
     
     
       19. The storage system as recited in  claim 17 , wherein encrypting, for each storage device, the device key further comprises encrypting the device key using the master secret and a value unique to the corresponding storage device. 
     
     
       20. The storage system of  claim 19 , wherein the controller is further configured to carry out the steps:
 reconstructing the master secret using a given number of shares of the plurality of shares; 
 decrypting one or more encrypted device keys using the master secret; 
 storing the decrypted device keys in a volatile memory; and 
 using the decrypted device keys to perform a plurality of accesses to one or more of the storage devices.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.